Version 2.6.0.1

New Feature: Automatic CSRF Protection

A feature that previously required custom coding and setting the proper configuration options is now automatically enabled in CKFinder 3 and requires no manual setup. The built-in CSRF protection additionally improves the security of authenticated users: when a malicious website contains a link, a form button or some JavaScript that is intended to perform an unwanted action using the credentials of a logged-in user who visits the malicious site, CKFinder will now detect and block such attempts.

Security Updates

Fixed DOM XSS and reflected XSS vulnerabilities.

New Feature: Automatic CSRF Protection

A feature that previously required custom coding and setting the proper configuration options is now automatically enabled in CKFinder 2 and requires no manual setup. The built-in CSRF protection additionally improves the security of authenticated users: when a malicious website contains a link, a form button or some JavaScript that is intended to perform an unwanted action using the credentials of a logged-in user who visits the malicious site, CKFinder will now detect and block such attempts.

Other New Features and Major Changes

A new Bootstrap skin has been added.

The Flash upload component used to handle multiple file uploads in old versions of Internet Explorer (IE9 and IE8) has been removed. As a result, the file upload feature will now fall back to a single file upload on browsers without HTML5 File API support.

Fixed Issues

Fixed: Using the up arrow key in List View to move between files did not work.

Security Updates

As a result of security testing and hacking that we did on CKFinder 3 we discovered some potential security concerns in the server-side part of the application. These issues affected actions that only authenticated users could perform, solely in locations specified in your CKFinder backend configuration, but since in some cases it was possible to skip ACL checks or file extension checks, an upgrade is highly recommended.

Due to insufficient checks in the ASP.NET connector, an authenticated user using the built-in DownloadFile command could download any file from the server (with an extension allowed in the defined resource types, as well as without any extension) by providing an absolute path to the file.
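The following is an added illustration of the checks a DownloadFile handler needs to avoid the problem described above; it is example code written for this page, not CKFinder's connector code, and the resource type roots and extension lists are constructed assumptions.

```python
import os
from typing import Dict, Optional

# Constructed resource types, loosely modelled on a per-type root folder and
# allowed-extension list; the paths and lists are assumptions for this example.
RESOURCE_TYPES: Dict[str, Dict] = {
    "Files": {"root": "/srv/userfiles/files", "allowed": {"pdf", "txt", "zip"}},
    "Images": {"root": "/srv/userfiles/images", "allowed": {"jpg", "png", "gif"}},
}


def resolve_download(resource_type: str, current_folder: str, file_name: str) -> Optional[str]:
    """Return the absolute path a download handler may serve, or None to refuse.

    Three checks the changelog entry implies:
      1. the file name must be a bare name (no absolute path, no separators),
      2. its extension must be allowed for the resource type (a name with no
         extension is refused rather than served),
      3. the resolved path must stay inside the resource type's root folder.
    """
    cfg = RESOURCE_TYPES.get(resource_type)
    if cfg is None:
        return None
    # 1. Reject absolute paths, path separators and the special names.
    if os.path.isabs(file_name) or "/" in file_name or "\\" in file_name:
        return None
    if file_name in ("", ".", ".."):
        return None
    # 2. Require an extension that the resource type allows.
    if "." not in file_name:
        return None
    if file_name.rsplit(".", 1)[1].lower() not in cfg["allowed"]:
        return None
    # 3. Resolve the final path and confine it to the root. commonpath (not
    #    startswith) is used so that "/srv/userfiles/files2" does not pass as
    #    a child of "/srv/userfiles/files".
    root = os.path.realpath(cfg["root"])
    candidate = os.path.realpath(os.path.join(root, current_folder.strip("/"), file_name))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate
```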

Version 2.3.1.1 (ASP)

It was possible to perform a denial of service (DoS) attack by users authorized to use the server connector and with permissions to upload files (ASP, PHP, ColdFusion).

It was possible to cause denial of service to files and folders on certain servers (like Apache) by users authorized to use the server connector and with permissions to create folders. The attack was possible only inside a folder to which the user had "create folder" permissions.

Added new translation: Serbian.

Updated translations: Catalan, Chinese, Japanese.

Folders that start with a dot character are now disallowed by default.

Fixed auto-renaming of files with multiple extensions: foo.tar.gz will be renamed to foo(1).tar.gz on second upload.
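An added example of the renaming rule described above (written for this page, not CKFinder's own code): the collision counter is placed before the whole extension so that foo.tar.gz becomes foo(1).tar.gz rather than foo.tar(1).gz. It assumes that everything after the first dot counts as the extension, since the entry only gives the foo.tar.gz case.

```python
from typing import Iterable, Tuple


def split_extension(file_name: str) -> Tuple[str, str]:
    """Return (base, extension) so that every extension segment stays attached.

    Assumption: everything after the first dot is the extension, so
    'foo.tar.gz' -> ('foo', 'tar.gz'). A leading dot ('.htaccess') is part
    of the base, not an extension.
    """
    stripped = file_name.lstrip(".")
    leading = file_name[: len(file_name) - len(stripped)]
    if "." not in stripped:
        return file_name, ""
    base, ext = stripped.split(".", 1)
    return leading + base, ext


def unique_file_name(file_name: str, existing: Iterable[str]) -> str:
    """Pick a name that does not collide with `existing` (case-insensitive).

    On collision the counter goes before the whole extension:
    foo.tar.gz -> foo(1).tar.gz -> foo(2).tar.gz, never foo.tar(1).gz.
    """
    taken = {name.lower() for name in existing}
    if file_name.lower() not in taken:
        return file_name
    base, ext = split_extension(file_name)
    suffix = f".{ext}" if ext else ""
    counter = 1
    while f"{base}({counter}){suffix}".lower() in taken:
        counter += 1
    return f"{base}({counter}){suffix}"
```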

Maximize did not work when CKFinder was added with appendTo().

Introduced the CheckDoubleExtension configuration option.

Avoid infinite loop if the configuration for thumbnails is removed instead of disabled.

Version 1.3.1

Attention: New feature added that may cause compatibility issues in rare situations. The number of arguments passed from CKFinder to the "SelectFunction" has changed. In the second argument, an object with additional data is now passed.

Added control over the startup path. It is now possible to point CKFinder into selected resource type/folder.

Improved thumbnails support: it is now possible to define a custom function that will be triggered when a thumbnail is selected (SelectThumbnailFunction).

New configuration option added to access thumbnails directly. If enabled, thumbnail requests are passed to the connector only if a thumbnail still needs to be created.

Improved protection against caching of thumbnails by browser.

Introduced RememberLastFolder setting - if enabled, CKFinder will remember the last used folder.

Improved the routine to show all the errors sent by the server connectors.

Improved the control over popup mode - it is now possible to disable auto-closing of CKFinder window.

Added support for passing CKFinder settings as an object in the JavaScript integration class.

Added example explaining how to open CKFinder in selected folder.

Fixed security issues in the server connector.

Improved the quality of resized images if quality is set to over 80.

Fixed issues with thumbnail generation ("String was not recognized as a valid DateTime").

Resized GIF and BMP images are no longer converted into PNG.

Fixed the issue with generating a PNG image from a JPG file if the extension was in uppercase.

Fixed issues with an invalid .htaccess in the userfiles directory when PHP was running as CGI.

Added sample Application.cfc and Application.cfm files in the root directory.

CKFinder now works fine when debugging is enabled.

Fixed problems with creating thumbnails of files with uppercase extension.

Thumbnails were not generated for images with "jpeg" extension.

Improved the parsing of max size for file uploads.

Fixed problems with uploads larger than 1 MB if the checkSizeAfterScaling setting was enabled.

Fixed a problem with the debug option in some situations.

Improved handling of the error if the upload is bigger than the limit allowed by the server.

Added another image component library: Shotgraph. You must have a full registered version, the demo doesn't even allow resizing.

If the extension was in uppercase, the ASP.NET resizing generated PNG files instead of JPG files.

The thumbnails of BMP and GIF files were really PNG files.

If the component was set to "auto", the autodetection routine left one empty file for each request in the temp folder. You can delete all the ckfindertemp files. Note: For better performance, set the component that you want to use instead of leaving it as "Auto".

If CKFinder was protected with Basic Authentication, the calls to ASP.NET failed. The authentication is now reused automatically.

Added support for using the ASP.NET image resizing even if the server runs on a non-standard port.

Attention: The ckfinder.config file has been replaced with config.ascx, which now uses pure C# syntax instead of XML. It makes it possible to add any kind of code in the settings, giving much more flexibility. Previous configuration files must be "translated" to the new format.

Attention: Some additional security features have been introduced, changing the behavior present on previous versions:

The CheckAuthentication() function has been introduced in the configuration file. It must return "true" for CKFinder to work. Pay attention to the comments you will find there.

The allowed/denied extensions list is now used to filter displayed files. In previous versions it was used only to restrict file uploads.

In the default config file, an allowed extensions list is now defined instead of a denied extensions list (white list approach).

Automatic detection of invalid image files on upload.

The upload is now rejected if HTML is found inside specific files, to protect against UXSS.

Introduced CKFinder for ASP and CKFinder for ColdFusion.

Full server side source code is now available.

CKFinder is now compatible with Safari 3 (WebKit based browsers) and Opera 9.5.

CKFinder is now fully compatible with FCKeditor 2.5, including QuickUpload support.

New configuration option added to set maximum dimension of uploaded images.

Improved speed of thumbnail loading by CKFinder. HTTP code 304 is now sent whenever possible.

An alert message is now displayed when the "View" popup is blocked by the browser.